
I have previously pointed out the lack of good, user-friendly DNSSEC support in Microsoft's Windows Server 2008 R2. In the period just after I wrote that post [Swedish], I had a dialogue with Microsoft, but in the last few months there has been no word at all.

The reason I bring this up again is that more and more top-level domains (TLDs) are now enabling DNSSEC, and that within six months the root zone will be signed. Since my initial post, Microsoft has updated its guide on how to enable DNSSEC signing and validation.

The document, "DNS_SVR2008R2_DNSSEC.doc", has grown from 30 pages to 80, but this newer, more comprehensive version has not made the product any easier to configure, as you can imagine. That said, it is important to point out that there are other products on the market that handle DNSSEC well and in a user-friendly way, and I really think Microsoft should be among them!

My view on the requirements for using Microsoft's DNS with DNSSEC:

A functional GUI!

Today Microsoft offers only a command-line interface (dnscmd) whose commands in turn take many complex parameters. A Windows administrator is generally most familiar with things like "right-click -> Properties -> Sign zone" or "right-click -> Properties -> DNSSEC settings". If we compare the handling in Windows with the most commonly used open-source products, the latter are much easier to use.

Distribution of Trust Anchors!

I strongly suggest that Microsoft use Windows Update to distribute trust anchors, since the interface for them in the DNS Manager is nothing short of horrible.

There are some third-party products on the market that solve some of the problems with trust anchor distribution and the GUI, but how many users understand or accept that they must invest in, and use, a third-party solution?

Support for NSEC3!

There is only support for NSEC, and no support for signing or validating NSEC3, in Microsoft's product. Almost all newly signed TLDs use NSEC3, and with Microsoft's DNS we cannot validate those TLDs. How will Microsoft act here? On page 60 of "DNS_SVR2008R2_DNSSEC.doc" they state what can and cannot be done with NSEC3, which makes it look as though they support NSEC3, but the simple fact is that they do not!

In one of the responses to my earlier questions, Microsoft said that the NSEC3 standard was completed too late to be implemented in Server 2008 R2. This gives an indication of the speed that open-source programs sometimes offer. Many DNS appliances use BIND/NSD/Unbound and can therefore easily implement NSEC3, since these platforms have had that support for a long time.

But a solution might be on its way. I have heard rumours from undisclosed sources that Microsoft will support RSA/SHA-256 in an upcoming service pack/update/version, and if so they will be able to support NSEC3 at the same time!
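To make concrete what a resolver has to implement before it can validate an NSEC3-signed TLD, here is an added example; it is not part of the original post and not Microsoft's code. It computes the hashed owner name defined in RFC 5155 (SHA-1 over the canonical wire-format name plus salt, iterated, then base32hex) and checks whether a given NSEC3 record covers a queried name, which is how non-existence is proven. The salt (aabbccdd) and iteration count (12) are the ones used by the example zone in RFC 5155 Appendix A; the target hashes in the covering checks are constructed for illustration.

```python
import hashlib

# RFC 4648 "base32hex" alphabet; NSEC3 owner names are presented in it
# (case-insensitive, no padding: a 20-byte SHA-1 digest becomes 32 characters).
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def base32hex(data: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # pad to a multiple of 5 bits
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt),
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt), with H = SHA-1 (hash
    algorithm 1). "Iterations" counts the additional rounds after the first.
    A salt of "-" in presentation format means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between an NSEC3 record's owner hash
    and its "next hashed owner name": the record then proves that no name with
    that hash exists. The last record in the chain points back to the first,
    so that interval wraps around the top of the hash space."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n


if __name__ == "__main__":
    # Example zone parameters from RFC 5155 Appendix A.
    salt, iters = "aabbccdd", 12
    for n in ("example", "ns1.example", "a.example"):
        print(f"{n:12s} -> {nsec3_hash(n, salt, iters)}")
    # Does the apex record (owner = H(example), next = H(ns1.example)) cover a
    # name whose hash starts with "1"? (constructed target hash)
    print(nsec3_covers(nsec3_hash("example", salt, iters),
                       nsec3_hash("ns1.example", salt, iters),
                       "1" + "0" * 31))
```

A validator does this for every NSEC3 record in a negative answer: hash the closest encloser and the "next closer" name, then find the records whose intervals cover them. Without this logic a resolver cannot distinguish a genuine NXDOMAIN from a forged one in an NSEC3 zone, which is why an NSEC-only implementation cannot validate those TLDs.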

Workarounds for validation!

Microsoft has, from a simplified point of view, two server platforms, Windows Server 2008 and Small Business Server 2008. The DNS server in both can be configured with the default root hints and a forwarder pointing at a DNS server of your choice, and can therefore easily obtain DNSSEC validation indirectly. Note that in this setup the validation happens on the forwarder; the Windows DNS server simply accepts its answers, so the path to that forwarder must itself be trustworthy (an internal resolver on a controlled network rather than an arbitrary one across the Internet).

For example: Microsoft DNS -> validating DNS -> Internet

The validating DNS can be an internal DNS server or your ISP's. You can easily test whether a DNS server validates DNSSEC by checking the status at test.ipv6.tk. Remember that you have to change your computer's DNS server to the one you want to test.
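You can also make the same check yourself from the command line. The following is an added example (not from the post, and not Microsoft's or the test site's code) that builds a DNS query with the EDNS0 DO bit set and inspects the AD (Authenticated Data) flag in the reply. A validating resolver sets AD on answers for correctly signed names and returns SERVFAIL for a name whose signatures are deliberately broken, so the script probes both. The resolver address and the two probe names are assumptions you supply on the command line; the two reply headers embedded at the bottom are constructed so the script also runs offline.

```python
import random
import socket
import struct
import sys

# DNS header flag bits (RFC 1035 / RFC 4035) and codes used below
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_SERVFAIL = 2
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0x1234,
                dnssec_ok: bool = True) -> bytes:
    """Wire-format query: header, one question and, if dnssec_ok, an EDNS0
    OPT pseudo-RR with the DO bit set so the resolver returns DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii")
                         for l in qname.rstrip(".").split(".")) + b"\x00"
    question = wire_name + struct.pack("!HH", qtype, CLASS_IN)
    if not dnssec_ok:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, then the TTL field
    # reused as ext-rcode | version | flags (DO = 0x8000), and RDLEN=0.
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header; only the flags and rcode matter here."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "ancount": an}


def verdict(signed_hdr: dict, bogus_hdr: dict) -> str:
    """Combine the two probes. AD on the good name alone is not enough: a
    resolver that sets AD but still answers for broken signatures protects
    nobody."""
    if signed_hdr["rcode"] != 0 or not signed_hdr["ad"]:
        return "not validating (no AD flag on a correctly signed answer)"
    if bogus_hdr["rcode"] == RCODE_SERVFAIL:
        return "validating (AD set on signed data, SERVFAIL for bogus data)"
    return "sets AD but does not reject bogus data"


def ask(server: str, qname: str, timeout: float = 3.0) -> dict:
    """Send one DO-flagged query over UDP and return the parsed reply header.
    The transaction ID is random so a spoofed reply cannot trivially match."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("reply does not match query")
    return hdr


# Constructed reply headers (no real resolver was queried):
#   flags 0x81a0 = QR|RD|RA|AD, rcode 0 -> a validating resolver's answer for signed data
#   flags 0x8182 = QR|RD|RA, rcode 2    -> SERVFAIL, its answer for bogus data
SAMPLE_SIGNED_REPLY = bytes.fromhex("1234 81a0 0001 0001 0000 0000")
SAMPLE_BOGUS_REPLY = bytes.fromhex("1234 8182 0001 0000 0000 0000")


def offline_demo() -> str:
    return verdict(parse_header(SAMPLE_SIGNED_REPLY), parse_header(SAMPLE_BOGUS_REPLY))


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python dnssec_check.py <resolver-ip> <signed-name> <bogus-name>
        server, good, bad = sys.argv[1:4]
        print(verdict(ask(server, good), ask(server, bad)))
    else:
        print(offline_demo())
```

Point it at the resolver you intend to use as the forwarder. For the bogus probe you need a name in a zone whose signatures are deliberately broken, which is what the public DNSSEC test domains provide; a resolver that returns a normal answer for such a name is not validating, whatever it says in its AD flag for good names.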

Signing dynamic zones!

If Microsoft reworks and updates its DNSSEC implementation along these lines, it is also possible that they will support not only the signing of static offline zones but also the signing of dynamic zones, for example zones generated from AD data and dynamic addresses. This would be most welcome, but I also believe that the internal zones inside the domain need to be secured towards the internal clients!

Future Internet

There are two things on the Internet today that I think are most important to the continued development of a secure, stable and scalable Internet. One is DNSSEC, where Microsoft today (unfortunately) simply cannot match my expectations and needs, or the competition from other products. The second is IPv6, where Microsoft, on the other hand, offers by far the best IPv6 support of all available operating systems!

My thoughts can be summarised in one question: will Microsoft settle for only half of the solution?
